Diamond
Virus.DOS.Diamond is a memory resident virus on DOS that is somewhat dangerous. The virus was written by Dark Avenger, it is named by the payload in some of the variants. There are 28 variants in 5 versions, represented by the following: *Virus.DOS.Diamond.444 *Virus.DOS.Diamond.568 *Virus.DOS.Diamond.607 *Virus.DOS.Diamond.891 *Virus.DOS.Diamond.1013 There are an additional 3 variants which also belong to this family. Behavior When the virus is loaded into memory, it hooks INT 8 and 21h and infects any executable that is run by writing itself to the end of the file. Some executables may have the string "ZM" instead of "MZ" at the beginning in their code; the virus would still identify them as EXE files and set the string to "MZ" during infection. The virus might corrupt some of the files during execution, causing a system hang or even crash when these programs are run. Variants smaller than 978 bytes (and except 666 bytes) do not check whether its TSR code is already in memory so that it would install one more copy into when it infects a file, which would lead the system to eventually run out of memory. When the virus infects a file, it also extracts 8 binary data from the host program and put it at the later part of its viral code, just before the internal text string. The data are extracted from the absolute positions: For example, given the following binary (first 32 bytes): 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F ----------------------------------------------- E9 3D 1F 0C 01 CD 21 CD 20 90 90 59 52 6F 73 65 47 6F 61 74 20 32 2E 31 35 20 47 6F 61 74 20 46 The resulting string would become: 47 6F 73 65 20 32 2E 31 In ASCII: Gose 2.1 This is used for identification, when the virus stays in memory, the infection size will be hidden from these infected files, if the string exists and matches. All variants feature this mechanism, but only stealthy variants make use of this. Diamond.444 and 465 These variants set a multiplier starting at 1 after being loaded into memory, which adds up the upcoming infection size. The infection behaviors on these two types of executable are different. The virus may infect the file more than once using a loop, before an infection it first calculates the file size after infection, by adding the current file size with its infection size. If it will be larger than or equal to 65,024 bytes (FE00h), it breaks the loop. For any DOS executable matches this condition, the virus will forgive it and return to the host program (if uninfected). For any EXE file in the same case, a system hang may occur after infecting a file larger than this size. The infection size increments by 1 every time after infecting a DOS executable, so that the sequence of the multiplier of the infection size will be "1, 2, 3, 4, 5, 6, ...". So the largest infection multiplier is 145 for Diamond.444 and 138 for Diamond.465, given that the host file is not smaller than the virus themselves. For the case an EXE file is infected, the virus adds the summation of all counts of previous infections to itself, so that the EXE files that are infected after a few counts of infections will become very large. The sequence of the multiplier of the infection size is can be represented by the following formula: Hence the sequence can be deduced as "1, 2, 5, 13, 34, 89", and the largest infection multiplier is 89 because the infection size of upcoming multipliers are much larger than 64KB. If the user resets the system, the count of the multiplier will lost and restore to 1 when the virus is loaded into memory after reset. On running an infected DOS executable would run the virus only without running the host program, while some infected EXE files can run both. Diamond.485 After this variant has been loaded into memory, it infects any executable that is run. After infecting a file, the virus does not return to DOS and results a system hang. It does not check whether a file has been infected and would reinfect it. Diamond.568, 584, 594, 602, 606, 608, 609, 614 and 620 These variants do not infect a file more than once. Except Diamond.602, the virus does not return to DOS that would hang the system after infecting a file. Diamond.606, 609 and 614 do not infect files smaller than themselves. Diamond.607, 621...978, 1013...1110, Greemlin.1146 and RockSteady.666 These variants make use of the extracted 8-byte string to behave stealthy so that there is no file size change can be observed for infected files, and they do not infect files smaller than themselves. Files infected by these variants might be malfunctioned. Diamond.Lucifer.1086 This variant also make use of the extracted 8-byte string to behave stealthy when it is in memory. If the timestamp of a file to be infected by this variant is 12:00 AM, it removes the timestamp so that the infected file will have no last modified time. Memory usage The following table shows the memory usage of the variants. MD5 hash: Note: Binary modification on some variant samples is required in order to test their behaviors. Payload Diamond.444, 465, 485, 607, 614, 621, 624, 626 These variants do not manifest themselves at anyway. Diamond.568, 584, 594, 602, 606, 608, 609 and 620 When the user issues an DIR command or attempts to copy a file, the virus would drive it to run invalid opcode, which may crash the system, a hard reset must be taken in order to reboot the computer. Under DOS 7.1, the system might terminate such task without hanging on it. Diamond.666.b and RockSteady.666 When an infected program is run on 13th of any month, the virus formats the first 10 cylinders in head 0 using INT 13h, and overwrites first 32 logical sectors in C: with garbage, after that the virus resets the system with INT 19h. Diamond.891 This variant attempts to print a big diamond with diamond characters (ASCII 04h) in different color when the minute is 0 and the second is between 0 and 14 of the system time, but failed. Diamond.978 This variant attempts to format the hard drive on Tuesdays, but failed due to a programming error, and it formats the third floppy drive instead. When the minute is 0 and the second is between 0 and 14 of the system time, the virus would attempt to print the big diamond, but due to the errors in code, it would never be displayed. Instead of this, if the user attempts to issue a command during this period, the system would hang by running the illegal instructions of the payload code in an endless loop. Diamond.1013, 1014, 1024, 1050, 1063, 1096, 1110 and Lucifer.1086 These variants attempt to format the hard drive on Tuesdays, but failed due to a programming error, and it formats the third floppy drive instead. When the minute is 0 and the second is between 0 and 13 of the system time, the virus prints a big diamond with diamond characters in different color, and then it would break up and start bouncing on the screen. There is no method to clear the diamond characters except resetting the system. For Diamond.1013, it prints the diamond characters that would not move so that they can be cleared by typing CLS or some other commands. When infections occurs during the payload, the virus also saves the current position of the diamond characters into the host file. Diamond.Greemlin.1146 This variant also prints a big diamond with diamond characters, and would break up and start bouncing on the screen. Additionally, it slows down the system speed by 10%. When an infected program is run on July 14th, it overwrites some sectors on floppy disks and the hard drive. Variants This family has 31 variants in total: *Virus.DOS.Diamond.444 *Virus.DOS.Diamond.465 *Virus.DOS.Diamond.485 *Virus.DOS.Diamond.568 *Virus.DOS.Diamond.584 *Virus.DOS.Diamond.594 *Virus.DOS.Diamond.602 *Virus.DOS.Diamond.606 *Virus.DOS.Diamond.607 *Virus.DOS.Diamond.608 *Virus.DOS.Diamond.609 *Virus.DOS.Diamond.614 *Virus.DOS.Diamond.620 *Virus.DOS.Diamond.621 *Virus.DOS.Diamond.624 *Virus.DOS.Diamond.626 *Virus.DOS.Diamond.666.b *Virus.DOS.Diamond.891 *Virus.DOS.Diamond.978 *Virus.DOS.Diamond.994 *Virus.DOS.Diamond.1013 *Virus.DOS.Diamond.1014 *Virus.DOS.Diamond.1024 (A and B) *Virus.DOS.Diamond.1050 *Virus.DOS.Diamond.1063 *VIrus.DOS.Diamond.1096 *Virus.DOS.Diamond.1110 *Virus.DOS.Diamond.Greemlin.1146 *Virus.DOS.Diamond.Lucifer.1086 *Virus.DOS.Diamond.RockSteady.666 Other details Ah (David) and Rocko are variants of Diamond. Diamond.666.b and RockSteady.666 are later versions of Rocko. There are illegal instructions in the TSR code of Diamond.994 which would lead the system to run into a deadlock after installing the virus to memory. Some stealthy variants may detect other variants using the same technique. Assume file A contains Diamond.624 and file B contains Diamond.626, saying A''+624 bytes and ''B+626 bytes respectively. If file B is executed, Diamond.626 becomes memory resident. Under the DIR command, B would show the original file size (i.e. B bytes), but the size of A will have 2 bytes smaller than that when uninfected. Diamond.444 and 465 contain the internal text string: 9090909090 Diamond.485, 568...626, 891, 978, 994, 1013, 1024 and 1096 contain the internal text string: 7106286813 Diamond.666.b and RockSteady.666 contain the modified internal text string: RocK STeaDY Diamond.1050 contains the internal text string: NEWDIAMOND Diamond.1063 contains the internal text string: DAMAGE!!!! Diamond.1110 contains the internal text string: Jump for joy!!! DAMAGE-B!! Diamond.Greemlin.1146 contains the internal text string: greemlin Diamond.Lucifer.1086 contains the internal text strings: Lucifer © by C.J. C.J. References #Source code of Diamond on VX Heaven #List of variants of the Diamond virus on VX heaven #Description of some of the variants of Diamond on Online VSUM #Description of Diamond on F-Secure Labs zh:Diamond Category:DOS virus Category:DOS Category:Virus Category:TSR